On May 20, 2014, the United States Department of Health and Human Services (the “Department”) submitted reports to Congress detailing certain compliance and enforcement activities under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). One report describes the Department’s compliance and enforcement activities with respect to the HIPAA Privacy, Security, and Breach Notification Rules, while the other report focuses on breaches of unsecured protected health information. The reports detail the consequences of failing to comply with HIPAA, including the imposition of civil monetary penalties, and provide an important reminder to HIPAA covered entities, such as group health plans and health care providers, and business associates to covered entities of the need to establish policies and procedures and take appropriate actions to comply with HIPAA and its implementing regulations.

HIPAA provides a variety of protections for individuals’ health information. Among other things, the HIPAA Privacy Rule establishes a general right for individuals to access, review, and amend their protected health information (“PHI”). The HIPAA Privacy Rule also requires covered entities to take reasonable efforts to request, disclose, and use only the minimum amount of PHI needed to accomplish the intended purpose. Covered entities must also develop and implement policies and procedures that restrict the access and use of PHI.

The HIPAA Breach Notification Rule generally requires covered entities to notify the Department, affected individuals and, in certain cases, the media following the discovery of a breach of unsecured PHI. Business associates must notify covered entities if they discover a breach.

Report Findings

The report to Congress describes the Department’s process of enforcing the HIPAA Privacy, Security, and Breach Notification Rules and provides detailed information regarding the Department’s activities, such as the number of complaints it received and closed, its investigated resolutions, its compliance reviews, and the issues and entities the Department investigated. For example, in 2012, the Department received over 10,000 complaints and investigated more than 3,300 complaints.

The report highlights the consequences of failing to comply with HIPAA, which include the payment of resolution amounts, required workforce HIPAA training, third-party monitoring of HIPAA compliance, and the imposition of civil monetary penalties. Examples of some of these violations and consequences include:

A hospital agreed to pay $1 million after an employee lost the PHI of 192 patients by leaving documents on a subway train.

An insurance company agreed to pay $1.5 million after 57 unencrypted computer hard drives containing the names, dates of birth, and Social Security numbers of over 1 million individuals were stolen from a leased facility.

A state’s department of health and social services agreed to pay $1.7 million after a USB hard drive that possibly contained ePHI was stolen from an employee’s vehicle.

A hospital agreed to pay $1.5 million because an unencrypted personal laptop containing ePHI of patients and research subjects was stolen.

The Department imposed a $4.3 million penalty on a health clinic which denied 41 patients access to their medical records. $1.3 million of this penalty was for the HIPAA violation and $3 million was for the clinic’s failure to cooperate with the Department’s investigation.

The report also describes the Department’s audit pilot project of covered entities and business associates. A total of 115 covered entities were audited, including 47 health plans, 61 health care providers, and seven health care clearinghouses. According to the report, a majority of the entities audited, especially the smaller entities, were deficient in complying with the HIPAA Privacy, Security, and Breach Notification Rules. The report notes the Department is committed to integrating HIPAA audits in its 2014 enforcement program.

HIPAA Breaches of Unsecured Protected Health Information Report

Background

Federal law generally defines “unsecured PHI” as PHI that is not secured through the use of a methodology or technology specified in regulatory guidance that renders PHI unreadable, indecipherable, or unusable to unauthorized persons. Regulatory guidance identifies destruction and encryption as the methods and technologies for rendering PHI unreadable, indecipherable, or unusable to unauthorized persons. A “breach” is generally defined as the access, use, acquisition, or disclosure of PHI in a manner not authorized by the HIPAA Privacy Rule which compromises the privacy or security of the PHI. HIPAA generally requires covered entities to notify the Department, affected individuals and, in certain cases, the media following the discovery of a breach of unsecured PHI. Business associates must notify covered entities if they discover a breach.

Report Findings

The report to Congress enumerates the number of breach reports the Department received and the number of individuals affected. The report describes the causes of breaches, such as theft, loss, and improper disposal of electronic devices/equipment and paper records containing ePHI or PHI. For example, in 2012, the Department received 222 reports of large breaches (breaches involving 500 or more individuals) which affected more than 3.2 million individuals. Causes of the breaches included theft of electronic equipment/portable devices or paper documents containing PHI, loss of electronic media or paper records containing PHI, hacking of electronic equipment or network servers, and improper disposal of PHI.

The report explains the Department’s enforcement activities with respect to breaches. Breaches have resulted in covered entities paying compliance amounts, conducting and documenting risk analyses, implementing workforce HIPAA training, and engaging third-party monitoring of HIPAA compliance. For example, one managed health care provider agreed to pay $1.7 million to settle potential violations of the HIPAA Security and Privacy Rules after an investigation revealed a security weakness in an online application database that made the ePHI of more than 600,000 individuals accessible to unauthorized individuals over the Internet. Similarly, a health insurance company agreed to pay more than $1.2 million after an investigation determined it had disclosed the ePHI of more than 300,000 individuals when the company failed to properly erase a photocopier hard drive before returning it to the leasing company.

The report also describes the Department’s audits of covered entities and business associates. As part of an audit pilot program, 101 covered entities were audited for compliance with the Breach Notification Rule. According to the report, common reasons covered entities failed to comply with the HIPAA Rules included the covered entity being unaware of the requirements or the covered entity not fully implementing HIPAA’s requirements.

Next Steps for Covered Entities and Business Associates

The reports to Congress serve as important reminders of the need to establish and maintain robust HIPAA compliance policies and procedures and the severe consequences, such as multi million dollar civil penalties, that may result from noncompliance. Covered entities and business associates should:

Review and, if necessary, revise HIPAA policies and procedures.

Train appropriate staff on HIPAA compliance policies and procedures. “Refresher” training should be provided periodically to update staff on new HIPAA developments and remind staff members of the importance of HIPAA compliance.

Establish appropriate safeguards for PHI and ePHI. Special consideration should be given to devices that may store ePHI, such as photocopier hard drives, scanners, fax machines, smartphones, computers, and USB drives.

Conduct and document risk analysis that complies with the HIPAA Security Rule.

Develop and implement a risk management plan, as required by the HIPAA Security Rule.

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.